Reference: Anti-malware settings

Client Interface

Display additional text to clients when they need to perform an action

Set a custom message to display to users when they need to perform an action. The string must be less than 1024 characters.

Example: Contact our company help desk at 555-1212 for more help.

Display notifications to clients when they need to perform actions

Configure whether to display notifications to users when they need to perform an action.

Enable headless UI mode

Configure whether to display the Windows Defender UI to users.

Suppresses reboot notifications

Configure whether to show reboot notifications.

Exclusions

Extension Exclusions

Specify file extensions excluded from scanning.

IP address range Exclusions

Exclude IP addresses from network scanning.

Example: 157.1.45.123-60.1.1.1

Path Exclusions

Specify file paths excluded from scanning.

Example: C:\Program Files

Port number Exclusions

Exclude TCP ports from network scanning.

Example: 17472

Process Exclusions for outbound traffic

Exclude outbound traffic from a process from network scanning.

Example: C:\Windows\Program.exe

Threat ID Exclusions

Exclude specific threats from network scanning.

Example: 2925110632

Turn off Auto Exclusions (Defender Only)

Turn Automatic Exclusions on or off.

MAPS

Configure local setting override for reporting to Microsoft MAPS

Allow the local preference for joining the Microsoft Active Protection Service to override group policy.

Join Microsoft MAPS

Join the Microsoft Active Protection Service.

Send file samples when further analysis is required

Configure how samples are sent to the Microsoft Active Protection Service.

Network Inspection System

Define the rate of detection events for logging

Control the time interval in minutes for logging of detection events. Each event is logged at most once per time interval.

Example: 30

Default: 60

Specify additional definition sets for network traffic inspection

Specify additional definition sets to enable for network scanning. Each value should be a GUID of a definition set to enable.

Example: {b54b6ac9-a737-498e-9120-6616ad3bf590}

Turn on definition retirement

Control whether Windows Defender scans for known network vulnerabilities after they are patched.

Turn on protocol recognition

Control whether network protocol recognition is used to protect against attacks from known vulnerabilities.

Quarantine

Configure local setting override for the removal of items from Quarantine folder

Allow the local preference for the number of days to keep items in the quarantine folder to override group policy.

Real-time Protection

Configure local setting override for monitoring file and program activity on your computer

Allow the local preference for file and program activity to override group policy.

Configure local setting override for monitoring for incoming and outgoing file activity

Allow the local preference for monitoring of incoming and outgoing file activity to override group policy.

Configure local setting override for scanning all downloaded files and attachments

Allow the local preference for scanning downloaded files and attachments to override group policy.

Configure local setting override for turn on behavior monitoring

Allow the local preference for behavior monitoring to override group policy.

Configure local setting override for turn on script scanning (SCEP Only)

Enable or disable script scanning. This setting is enabled by default.

Configure local setting override to turn off Intrusion Prevention System

Allow the local preference for network scanning to override group policy.

Configure local setting override to turn on real-time protection

Allow the local preference for turning on real-time protection to override group policy.

Configure monitoring for incoming and outgoing file and program activity

Configure whether incoming or outgoing files are scanned. On servers with heavy network traffic, disabling scanning for a particular direction can help to achieve optimal network performance. This setting is only applicable to NTFS volumes.

Define the maximum size of downloaded files and attachments to be scanned

Configure the maximum size of downloaded files and attachments to scan. The value is the maximum file size in kilobytes.

Example: 524288

Monitor file and program activity on your computer

Configure monitoring of file and program activity.

Scan all downloaded files and attachments

Configure scanning of downloaded files and attachments.

Turn off real-time protection

Configure whether users are prompted when known malware is detected.

Turn on behavior monitoring

Turn behavior monitoring on or off.

Turn on Information Protection Control

Turn Information Protection Control on or off.

Turn on network protection against exploits of known vulnerabilities

Configure network protection from known vulnerabilities.

Turn on process scanning whenever real-time protection is enabled

Configure whether all processes are scanned when real-time protection is first turned on. This can detect malware that starts when real-time protection is off.

Turn on raw volume write notifications

Configure notifications of raw volume writes.

Turn on script scanning (SCEP Only)

Configure script scanning.

Remediation

Configure local setting override for the time of day to run a scheduled full scan to complete remediation

Allow the local preference for the scheduled scan time to override group policy.

Specify the day of the week to run a scheduled full scan to complete remediation

Schedule the day of the week to perform a full scan.

Specify the time of day to run a scheduled full scan to complete remediation

Specify the time of day to perform a full scan. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.

Example: 180

Reporting

Configure time out for detections in critically failed state

Set the time in minutes for a "critically failed" detection to move to "additional action" or be "cleared."

Example: 7200

Configure time out for detections in non-critical failed state

Set the time in minutes to "clear" a "non-critically failed" detection.

Example: 7200

Configure time out for detections in recently remediated state

Set the time in minutes to "clear" a "completed" detection.

Example: 7200

Configure time out for detections requiring additional action

Set the time in minutes to "clear" an "additional action."

Example: 7200

Configure Watson events (SCEP Only)

This policy setting allows you to configure whether or not Watson events are sent. This value has been deprecated as of the February 2015 anti-malware platform update (http://support.microsoft.com/kb/3036437).

Configure Windows software trace preprocessor components

Configure Windows software trace preprocessor.

Configure WPP tracing level

Configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). The allowed values are (1) Error, (2) Warning, (3) Info, (4) Debug.

Example: 1

Scan

Allow users to pause scan

Allow users to pause a scan while it is in progress.

Check for the latest virus and spyware definitions before running a scheduled scan

Check for new virus and spyware definitions before running a scan. This does not apply to scans started manually from the user interface.

Configure local setting override for maximum percentage of CPU utilization

Allow the local preference for maximum CPU utilization to override group policy.

Configure local setting override for schedule scan day

Allow the local preference for the scheduled scan day to override group policy.

Configure local setting override for scheduled quick scan time

Allow the local preference for the scheduled quick scan time to override group policy.

Configure local setting override for scheduled scan time

Allow the local preference for the scheduled scan time to override group policy.

Configure local setting override for the scan type to use for a scheduled scan

Allow the local preference for the scan type to use during a scheduled scan to override group policy.

Create a system restore point

Configure whether a daily system restore point is created on an endpoint before it is cleaned.

Define the number of days after which a catch-up scan is forced (Defender Only)

Specify the number of consecutive scheduled scans that can be missed until a forced catch-up scan is run.

Example: 2

Default: 2

Run full scan on mapped network drives

Configure whether mapped network drives are scanned.

Scan archive files

Configure whether archive files are scanned. Archive files are .zip or CAB files.

Scan network files

Configure whether network files are scanned.

Scan packed executables

Configure whether packed executables are scanned.

Scan removable drives

Configure whether removable drives, such as USB flash drives, are scanned when running a full scan.

Specify the interval to run quick scans per day

Configure the quick scan interval in hours. The value 0 means that quick scans are never scheduled.

Example: 24

Default: 0

Specify the maximum depth to scan archive files

Set the maximum directory depth to which archive files are unpacked during scanning. Archive files are .zip or CAB files.

Example: 1

Default: 0

Specify the maximum percentage of CPU utilization during a scan

Set the maximum percentage CPU utilization allowed during a scan. Valid percentage values can range from 5 to 50. The value 0 means that there is no limit.

Example: 5

Default: 50

Specify the maximum size of archive files to be scanned

Set the maximum size of archive files that are scanned. Archive files are .zip or CAB files. The value is the number of kilobytes. The value 0 means that there is no size limit.

Example: 1048576

Default: 0

Specify the scan type to use for a scheduled scan

Specify the scan type used during scheduled scans. By default, scheduled scans use quick scans.

Specify the time for a daily quick scan

Specify the time of day when a daily quick scan runs. The value is the number of minutes past midnight in the local time for the endpoint to perform the scan.

Example: 180

Default: 120

Start the scheduled scan only when computer is on but not in use

Set whether scans should only begin if the endpoint is idle.

Turn on catch-up full scan

Configure whether to start a full scan if two consecutive scheduled scans are missed. The full scan starts the next time someone logs in after the scheduled scans are missed.

Turn on catch-up quick scan

Configure whether to start a quick scan if two consecutive scheduled scans are missed. The quick scan starts the next time someone logs in after the scheduled scans are missed.

Turn on e-mail scanning

Configure whether email and email attachments are scanned.

Turn on heuristics

Heuristics improve the capabilities of Windows Defender to flag new threats.

Turn on removal of items from scan history folder

Configure the number of days that items are kept in the scan history folder before being permanently removed. The value 0 means that items are never removed from the history folder.

Example: 7

Default: 30

Turn on reparse point scanning

Configure whether reparse points are scanned. Reparse points are followed to a maximum depth, so a recursive reparse point might slow down scanning, but it does not cause an error.

Signature Updates

Allow definition updates from Microsoft Update

Enable definition updates to be downloaded from Microsoft Update even if Automatic Updates are configured to use a different download source.

Allow definition updates when running on battery power

Configure whether definitions are updated when an endpoint is running on battery power.

Allow notifications to disable definitions based reports to Microsoft MAPS

Enable receiving notifications from MAPS to disable definitions that are causing false positives. MAPS must be configured on an endpoint to successfully use this functionality.

Allow real-time definition updates based on reports to Microsoft MAPS

Enable real-time definition updates if MAPS finds that the latest definition update has definitions for a threat involving an unknown file. MAPS must be configured on an endpoint to successfully use this functionality.

Check for the latest virus and spyware definitions on startup

Specify whether definition updates should be checked at service startup.

Define file shares for downloading definition updates

Set UNC file shares for downloading definition updates. The file shares are tried in the order specified.

Example: \\corp\updates

Define the number of days after which a catch-up definition update is required

Specify the number of days that can pass before a forced catch-up definition update.

Example: 7

Default: 1

Define the number of days before spyware definitions are considered out of date

Set the number of days that can pass before spyware definitions are considered out of date.

Example: 7

Default: 14

Define the number of days before virus definitions are considered out of date

Set the number of days that can pass before virus definitions are considered out of date.

Example: 7

Default: 14

Define the order of sources for downloading definition updates

Specify the order for definition update sources to be contacted.

Initiate definition update on startup

Configure whether definitions are updated on startup when there is no antimalware engine.

Specify the day of the week to check for definition updates

Specify the day of the week to check for definition updates. By default, updates are checked every day.

Specify the interval to check for definition updates

Specify the definition update check interval in hours.

Example: 12

Specify the time to check for definition updates

Specify the time of day to check for definition updates. The value is the number of minutes past midnight in the local time for the endpoint to check for definition updates. By default, definition updates are checked 15 minutes before the scheduled scan time.

Example: 120

Turn on scan after signature update

Configure whether a scan should start after a definition update.

System Center Endpoint Protection

Turn on Potentially Unwanted Application (PUA) detection (SCEP Only)

Block PUAs from being downloaded through Internet Explorer, Firefox, and Chrome.

Turn on threat file hash logging (SCEP Only)

Record any detected threat files in the event log for additional research and correlation with other threat streams.

Turn on virus definitions (SCEP Only)

Manage virus definitions used during a scan.

Threats

Specify threat alert levels at which default action should not be taken when detected

Customize the remediation action to take for each threat alert level.

Specify threats upon which default action should not be taken when detected

Customize the remediation action to take for each detected Threat ID.

Windows Defender

Allow antimalware service to remain running always

Choose whether the Windows Defender service keeps running when virus and spyware definitions are disabled.

Allow antimalware service to startup with normal priority

Modify the startup priority of the Windows Defender service. This might impact performance.

Configure local administrator merge behavior for lists

Control whether local preferences for exclusions and threats are merged with group policy.

Define addresses to bypass proxy server

Bypass the proxy for a specific IP address. The value must be a valid URL.

Define proxy server for connecting to the network

Configure a proxy to use for downloading definition updates or reporting events to MAPS. By default, the following settings are used in order: (1) Internet Explorer proxy settings, (2) Auto-detect, (3) None.

Randomize scheduled task times

Randomize the start time of scheduled tasks.

Turn off routine remediation

Control whether Windows Defender automatically remediates threats.

Turn off Windows Defender

Turn Windows Defender on or off.

Last updated: 9/7/2018 3:02 PM